Cyber security threats are becoming increasingly pervasive, and cyber attacks continue to evolve to overcome existing cyber security efforts. Existing intrusion detection systems (IDSs) fail to adequately detect and respond to many never-before-seen cyber security threats to avionics devices in operationally relevant time scales. Limitations of traditional IDSs include high computing costs, high false-positive rates, low detection rates, inability to detect new types of attacks, and rigid, inflexible deployments.
Operational environments typically impose severe limits on size, weight, and power (SWAP) available for vetronics devices. Additionally, with respect to safety issues related to vetronics, there are significant regulations governing the development, manufacturing, deployment, and maintenance of vetronics devices. Further, existing vetronics devices typically have limited and/or intermittent connectivity.
Traditional information technology (IT) IDSs are typically either network-based IDSs (NIDSs) or host-based IDSs (HIDSs).
Typically, an NIDS monitors a given network segment and attempts to detect intrusions that utilize such network segment. To perform such monitoring, the NIDS is configured with rules tailored to the network segment being monitored. Due to a high quantity of data typically traversing the network segment, the NIDS is typically implemented on a large, high powered, and expensive computing platform. Due to complexity of the data typically traversing the network segment, NIDS rules commonly only identify previously-known intrusion signatures; such signatures are unable to detect previously-unknown intrusion events. Due to typically limited connectivity of typical vetronics devices, the rule signatures are typically unable to be updated in a real-time manner, thus significantly increasing the time to update new signatures for recently discovered intrusions.
An HIDS is typically implemented as a separate application running on a computing device that attempts to detect intrusions by monitoring the operating system (OS) and the applications running on that computing device. Due to the complexity of the running applications and the OS, the rules commonly are only able to identify previously-known intrusion signatures; such signatures are typically unable to detect previously-unknown intrusion events. Similar to the NIDS, the typically limited connectivity of vetronics devices prevents rule signatures from being updated in a real-time manner, which significantly increases the time to update new signatures for recently discovered intrusions. Additionally, the HIDS typically requires significant additional system resources (e.g., processor resources, memory resources, networking bandwidth (e.g., bus bandwidth) resources, and power resources) for processing HIDS operations.
Some conventional IDSs use a separate ‘guard’ application that monitors all traffic going into an application. However, this separate guard application requires significant additional system resources (e.g., processor resources, memory resources, networking bandwidth (e.g., bus bandwidth) resources) to perform the HIDS's monitoring. Additionally, the separate guard application is typically highly coupled to the corresponding monitored application, such that any changes to the monitored application must also be made in the separate guard application; implementing changes in both the monitored application and the separate guard application increases development costs and time to market. Additionally, the separate guard application typically duplicates all of the checking and state logic of the original application, which requires significant additional resources (e.g., processor resources, memory resources, networking bandwidth (e.g., bus bandwidth) resources) to perform the duplicative processing associated with the separate guard application.